fedora-selinux-list Digest, Vol 13, Issue 16
Ryan Gall
rrcoot at verizon.net
Wed Mar 16 19:22:04 UTC 2005
> > #Context for the driver configuration files
> > /etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t
>
> you probably want this:
>
> /etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t
>
> so you can label all of the driver stuff that's stored under that
> directory and its subdirectories. I don't think your pattern will
> match anything.
>
Actually everything does get the correct labels here. I guess it is
setting the label on the ndiswrapper directory and then all the child
directories and files are inheriting that context.
> > # Filename: loadndis.te
>
> > #Rules for devices
> > allow loadndis_t device_t:dir { rw_dir_perms };
> > allow loadndis_t device_t:chr_file { read create unlink ioctl };
> > allow loadndis_t null_device_t:chr_file { rw_file_perms };
> > allow loadndis_t console_device_t:chr_file { rw_file_perms };
>
> It would be better for the device node to have its own type, and type
> transition the chr_file, that way loadndis_t can only read very specific
> device nodes:
>
> type loadndis_device_t, device_type, dev_fs;
> file_type_auto_trans(loadndis_t,device_t,loadndis_device_t,chr_file)
>
> Or if you really want to go least privilege, you could probably use
> these rules instead of the above file_type_auto_trans:
>
> allow loadndis_t device_t:dir { search write add_name remove_name };
> allow loadndis_t loadndis_device_t:chr_file { read create unlink ioctl };
> type_transition loadndis_t device_t:chr_file loadndis_device_t;
Thanks for the tip. I am assuming here that these transitions cause the
created device to be relabeled to the new loadndis_device_t, which would
then prevent it from messing around with other devices in device_t?
>
> > #Capabilities
> > allow loadndis_t self:capability { sys_tty_config };
> > allow loadndis_t self:capability { mknod };
>
> Just for readability, it would be best to merge these into one line.
> Just a little nitpick. :)
DOH!
>
> > #Rules for proc filesystem
> > allow loadndis_t proc_t:dir { r_dir_perms };
> > allow loadndis_t proc_t:file { r_file_perms };
>
> Another readability thing, you don't need the braces around r_dir_perms
> and r_file_perms, as these are macros, and they already provide braces.
> So the ones you have are redundant.
Thanks for the help Chris.
Ryan
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150
>
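The two file context specs discussed at the top of this thread, run through a simplified model of file_contexts matching. This is an added example, not part of the original message and not the setfiles/libselinux code. It assumes the matcher anchors each regex to the whole path and treats `--` as "regular files only"; the sample paths are constructed.

```python
import re
import stat

# File-type field of a file_contexts entry -> stat type test.
TYPE_FLAGS = {
    "--": stat.S_ISREG, "-d": stat.S_ISDIR, "-c": stat.S_ISCHR,
    "-b": stat.S_ISBLK, "-l": stat.S_ISLNK, "-p": stat.S_ISFIFO,
    "-s": stat.S_ISSOCK,
}

def parse_spec(line):
    """Split 'regex [type-flag] context' into (compiled regex, type test, context)."""
    fields = line.split()
    if len(fields) == 3:
        pattern, flag, context = fields
        type_test = TYPE_FLAGS[flag]
    else:
        pattern, context = fields
        type_test = None  # no flag: any file type
    # Assumption: the pattern must match the whole path, so anchor both ends.
    return re.compile("^" + pattern + "$"), type_test, context

def lookup(specs, path, mode):
    """Return the context of the last matching spec (simplified), or None."""
    result = None
    for regex, type_test, context in specs:
        if regex.match(path) and (type_test is None or type_test(mode)):
            result = context
    return result

# Constructed sample tree: (path, mode) pairs.
SAMPLE_TREE = [
    ("/etc/ndiswrapper", stat.S_IFDIR | 0o755),
    ("/etc/ndiswrapper/bcmwl5", stat.S_IFDIR | 0o755),
    ("/etc/ndiswrapper/bcmwl5/bcmwl5.inf", stat.S_IFREG | 0o644),
    ("/etc/ndiswrapper.conf", stat.S_IFREG | 0o644),
]

ORIGINAL = [parse_spec("/etc/ndiswrapper/ -- system_u:object_r:loadndis_content_t")]
SUGGESTED = [parse_spec("/etc/ndiswrapper(/.*)? system_u:object_r:loadndis_content_t")]

def labelled(specs):
    """Paths from the sample tree that the given specs would assign a context to."""
    return [p for p, m in SAMPLE_TREE if lookup(specs, p, m) is not None]

if __name__ == "__main__":
    print("original :", labelled(ORIGINAL))
    print("suggested:", labelled(SUGGESTED))
```

This models only what a relabel from the spec file would assign; contexts that files pick up from their parent directory when they are created are outside it.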